Abstract

In this paper, we describe a proof-of-concept implementation of the probabilistically checkable proof 
of proximity (PCPP) system described by Ben-Sasson and Sudan in [BSS05]. In particular, we implement 
a PCPP prover and verifier for Reed-Solomon codes; the prover converts an evaluation of a polynomial 
on a linear set into a valid PCPP, while the verifier queries the evaluation and the PCPP to check that 
the evaluation is close to a Reed-Solomon codeword. We prove tight bounds on the various parameters 
associated with the prover and verifier and describe some interesting programmatic issues that arise 
during their implementation. 

1 Introduction 

A probabilistically checkable proof (PCP) system specifies a format for writing proofs that can be verified 
efficiently by querying only a few bits. Formally, a PCP system consists of an input string, a source of 
random bits, a proof string, and a probabilistic polynomial-time Turing machine called the verifier. The 
verifier has random access to the proof; given an address of a location in the proof, the verifier can query 
that location in the proof as a single oracle operation. A PCP verifier V with perfect completeness and 
soundness s(n) for the language L satisfies the following conditions: 

• For every input x in L, there is a proof $\pi$ such that V accepts with probability 1.

• For every input x not in L and for every proof $\pi$, V accepts with probability less than s(n).

Furthermore, a language L is said to be in PCP[r(n), q(n)] if there is a PCP verifier for L that on each
input of size n uses at most r(n) random bits and queries at most q(n) bits of the proof. The celebrated
PCP Theorem states that for any language in NP, there exists a PCP verifier with soundness 1/2 that uses
$O(\log n)$ random bits and queries $O(1)$ bits of the proof. Hence, the size of the proof needed by the verifier
is $2^{O(\log n)} = \mathrm{poly}(n)$, polynomially larger than the size of the NP-witness.

Subsequently, much work has been done in trying to reduce the length of the proof and to make its
constructions simpler. The length of the proof is relevant to applications of PCP theory in cryptography
and to constructions of locally testable codes (LTCs). Moreover, there is the possibility that a PCP system
with short proof size could form the basis for a semantic analog of error-correcting codes. Simplifying
the proof construction is also important for this reason. Some progress toward these goals was made in
[BSS05], where Ben-Sasson and Sudan showed that there exist probabilistically checkable proofs for verifying
satisfiability of circuits of size n of length $n \cdot \mathrm{poly}(\log n)$, with the verifier querying $\mathrm{poly}(\log n)$ bits of the
proof. Moreover, the construction of the proof is significantly simpler than in previous PCP constructions.
Their Theorem 1 states:

Theorem 1 ([BSS05], Theorem 1): SAT has a PCP verifier that on inputs of length n tosses
$\log(n \cdot \mathrm{poly}(\log n))$ coins, makes $\mathrm{poly}(\log n)$ queries to a proof oracle of length $n \cdot \mathrm{poly}(\log n)$, runs in
time $n \cdot \mathrm{poly}(\log n)$ and has perfect completeness and soundness at most $1/2$.

This PCP construction involves the construction of probabilistically checkable proofs of proximity 
(PCPPs) for Reed-Solomon codes. PCPPs provide an even stronger restriction on the verifier's computation, 
compared to the standard PCP model. Whereas a PCP verifier has unrestricted access to the input string 
but is restricted to making only a few queries to the proof, a PCPP has restricted access to both the input 
and the proof. Formally: 

Definition 1 (PCPP) A set $C \subseteq \Sigma^n$ has a probabilistically checkable proof of proximity over
alphabet $\Sigma$ of length $t(n)$ with query complexity $q(n)$, perfect completeness and soundness $s(\cdot, n)$ if
there exists a verifier V with oracle access to a pair $(x, \pi) \in \Sigma^{n + t(n)}$ such that V tosses $r(n)$ coins,
makes $q(n)$ queries into $(x, \pi)$ and accepts or rejects as follows:

— If $x \in C$, then $\exists \pi \in \Sigma^{t(n)}$ such that the verifier accepts $(x, \pi)$ with probability 1.

— If $\Delta(x, C) > \delta$, then $\forall \pi \in \Sigma^{t(n)}$, the verifier rejects $(x, \pi)$ with probability at least $s(\delta, n)$.

[BSS05] provides efficient PCPPs for Reed-Solomon codes, which are defined next: 

Definition 2 (RS-Codes) The Reed-Solomon code of degree d over a field $\mathcal{F}$ evaluated at $S \subseteq \mathcal{F}$
is defined as $RS(\mathcal{F}, S, d) = \{ (P(z))_{z \in S} : P(z) = \sum_{i=0}^{d-1} a_i z^i,\ a_i \in \mathcal{F} \}$, where $(P(z))_{z \in S}$, the evaluation
table of P over S, is the sequence $(P(s) : s \in S)$ and S has some canonical ordering to make it a
sequence.

The primary result in [BSS05] regarding PCPPs for RS-codes that we are concerned with is the following: 

Theorem 2 ([BSS05], Theorem 4) There exists a universal constant $c > 1$ such that for every
field $\mathcal{F}$ of characteristic two, every linear $S \subseteq \mathcal{F}$ with $|S| = n$ and every $d < n$, the Reed-Solomon
code $RS(\mathcal{F}, S, d)$ has a PCPP over alphabet $\mathcal{F}$ with proof length $l(n) \le n \log^c n$, randomness $r(n) \le
\log n + c \log\log n$, query complexity $q(n) = O(1)$, and soundness $s(\delta, n) \ge \delta / \log^c n$.

In this paper, we describe an actual implementation of this PCPP system for Reed-Solomon codes. 
Specifically, the following two programs are implemented: 

1. A prover that receives as input a description of the field $\mathcal{F} = GF(2^l)$, a basis $(b_1, \ldots, b_k)$ for $L \subseteq \mathcal{F}$,
a degree parameter d and a polynomial $P : L \to \mathcal{F}$ of degree less than d, and that outputs a PCPP
which is supposed to prove that $(P(z))_{z \in L}$ is in $RS(\mathcal{F}, L, d)$.

2. A verifier that receives as input a description of the field $\mathcal{F} = GF(2^l)$, a basis $(b_1, \ldots, b_k)$ for $L \subseteq \mathcal{F}$, a
degree parameter d and oracle access to a purported RS-codeword $p : L \to \mathcal{F}$ and its purported PCPP
$\pi$, and that accepts or rejects based on the proximity of p to $RS(\mathcal{F}, L, d)$.

In the following, we detail these implementations and provide some tight bounds on the various complexity
parameters associated with the PCPP system. These results establish that the constants associated
with the PCPP size are not at all large and, so, could perhaps motivate the use of probabilistically checkable
proofs in real life as analogs to error-correcting codes.



2 Implementation of the PCPP system 

The most basic operations in constructing and verifying the probabilistically checkable proofs of proximity 
described in [BSS05] are addition and multiplication in fields of characteristic two, extension fields of GF(2).
To do these operations efficiently while maintaining a proper programmatic abstraction, I used the excellent 
C++ library NTL, developed by Victor Shoup [Sho]. NTL is a high-quality and portable C++ library 
providing an efficient programmatic interface for computations over finite fields. Our PCPP prover and 
verifier programs are implemented as dynamically-linked C++ libraries with dependencies on the base NTL 
library. Thus, users of our implementation can link to our prover and verifier modules to create a valid 
PCPP and verify provided PCPPs respectively. 

NTL represents elements of the field $GF(2^l)$ as polynomials in $GF(2)[x]$ modulo an irreducible polynomial
P of degree l. Hence, in the following, I will view field elements as vectors from the (additive) vector space
$GF(2)^l$. For the prover to provide a proof acceptable to the verifier, it must use the same irreducible
polynomial P as the verifier. Also, both must sequence the field elements in the same order, and both must
use the same basis elements for any subspaces of $\mathcal{F}$ that are considered.

2.1 Evaluation and Interpolation of Polynomials 

The following two problems need to be solved repeatedly while constructing and verifying our PCPPs:

• (Evaluation) Given a finite field $\mathcal{F}$ of characteristic 2, coefficients $c_0, \ldots, c_{n-1} \in \mathcal{F}$ and linearly
independent elements $e_1, \ldots, e_k \in \mathcal{F}$ with $n = 2^k$, compute the set $\{(a, p(a)) \mid a \in \mathrm{span}(e_1, \ldots, e_k)\}$
where $p(x) = \sum_{i=0}^{n-1} c_i x^i$.

• (Interpolation) Given a finite field $\mathcal{F}$ of characteristic 2, linearly independent elements $e_1, \ldots, e_k \in \mathcal{F}$
and the set $\{(a, p_a) \mid a \in \mathrm{span}(e_1, \ldots, e_k)\}$, compute coefficients $c_0, \ldots, c_{n-1} \in \mathcal{F}$ such that
$p_a = \sum_{i=0}^{n-1} c_i a^i$ for all $a \in \mathrm{span}(e_1, \ldots, e_k)$.

Both can be achieved with $O(n \log^2 n)$ field operations¹ using a Fast Fourier Transform method. Here, I
will describe the solution to the interpolation problem; the solution to the evaluation problem is very similar
although not identical. The key ideas behind the interpolation algorithm are in the lemmas below:

Lemma 1 Given $e_1, \ldots, e_k \in \mathcal{F}$, there exists a monic quadratic $q(x)$ such that for every $a \in
\mathrm{span}(e_1, \ldots, e_{k-1})$, $q(a) = q(a + e_k)$. Also, there exist vectors $e'_1, \ldots, e'_{k-1} \in \mathcal{F}$ such that for all
$a \in \mathrm{span}(e_1, \ldots, e_k)$, $q(a) \in \mathrm{span}(e'_1, \ldots, e'_{k-1})$. Further, q and $e'_1, \ldots, e'_{k-1}$ can be computed in time
$O(k)$.

Proof Let $q(x) = x^2 - e_k \cdot x$ and let $e'_i = q(e_i)$ for $1 \le i \le k - 1$. Note that $q(x + y) = q(x) + q(y)$
since we are in a field of characteristic 2. So, because $q(e_k) = 0$, the first assertion is true. The second
assertion holds since if $a = \sum_{i=1}^{k} \lambda_i e_i$ with $\lambda_i \in GF(2)$, then $q(a) = \sum_{i=1}^{k} q(\lambda_i e_i) = \sum_{i=1}^{k} \lambda_i q(e_i)$. □

Lemma 2 Given the set $\{(a, p_a) \mid a \in \mathrm{span}(e_1, \ldots, e_k)\}$ and the monic degree 2 polynomial q and the
elements $\{e'_i\}_{i=1}^{k-1}$ from Lemma 1, there exist sets $\{(a', p^0_{a'}) \mid a' \in \mathrm{span}(e'_1, \ldots, e'_{k-1})\}$ and $\{(a', p^1_{a'}) \mid a' \in
\mathrm{span}(e'_1, \ldots, e'_{k-1})\}$ such that $p_a = p^0_{q(a)} + a \cdot p^1_{q(a)}$ for all $a \in \mathrm{span}(e_1, \ldots, e_k)$. Moreover, the two sets
can be computed in time $O(n)$.

Proof Note that from the properties of q in Lemma 1, we want the two sets to be such that for all $a \in
\mathrm{span}(e_1, \ldots, e_k)$, $p_a = p^0_{q(a)} + a \cdot p^1_{q(a)}$ and $p_{a + e_k} = p^0_{q(a)} + (a + e_k) \cdot p^1_{q(a)}$. So, $p^1_{q(a)} = e_k^{-1} \cdot (p_{a + e_k} - p_a)$.
Also, then, $p^0_{q(a)} = p_a - a \cdot p^1_{q(a)} = p_a - a e_k^{-1} \cdot (p_{a + e_k} - p_a)$. Assuming constant-time access to $p_a$, these
calculations can be done for all $a' = q(a) \in \mathrm{span}(e'_1, \ldots, e'_{k-1})$ in time $O(n)$. □



¹ Field operations take $O(\log|\mathcal{F}|)$ bit operations and will be taken to have unit time cost.



Lemma 3 Given coefficients of two polynomials $p^0(x)$ and $p^1(x)$ of degree less than $n/2$ and any
monic degree 2 polynomial $q(x)$, then there exists a polynomial $p(x)$ of degree less than n such that
$p(x) = p^0(q(x)) + x \cdot p^1(q(x))$. Moreover, the coefficients of p can be computed in time $O(n \log n)$.

Proof The existence statement is clear. We just have to give an efficient algorithm to find the
coefficients of $p(x)$. First of all, write $p^0(z) = b^0(z) + z^{n/4} a^0(z)$ and $p^1(z) = b^1(z) + z^{n/4} a^1(z)$, where
$a^0, a^1, b^0$ and $b^1$ are polynomials of degree less than $n/4$. Recursively, we can find the coefficients of
the polynomials $a(x)$ and $b(x)$, where $a(x) = a^0(q(x)) + x \cdot a^1(q(x))$ and $b(x) = b^0(q(x)) + x \cdot b^1(q(x))$;
$a(x)$ and $b(x)$ have degrees less than $n/2$. Now, $p(x) = b(x) + q(x)^{n/4} \cdot a(x)$. Since n is a power of 2,
if $q(x) = x^2 + cx + d$, then $q(x)^{n/4} = x^{n/2} + c^{n/4} x^{n/4} + d^{n/4} = x^{n/2} + c' x^{n/4} + d'$. Writing $a(x) =
\sum_{i=0}^{n/2 - 1} \alpha_i x^i$ and $b(x) = \sum_{i=0}^{n/2 - 1} \beta_i x^i$, we can see that

$$p(x) = \sum_{i=0}^{n/4 - 1} (d' \alpha_i + \beta_i) x^i + \sum_{i=n/4}^{n/2 - 1} (d' \alpha_i + c' \alpha_{i - n/4} + \beta_i) x^i + \sum_{i=n/2}^{3n/4 - 1} (\alpha_{i - n/2} + c' \alpha_{i - n/4}) x^i + \sum_{i=3n/4}^{n-1} \alpha_{i - n/2} x^i.$$

Thus, we can get the coefficients
of $p(x)$ from the coefficients of $a(x)$ and $b(x)$ in $O(n)$ time, and so the total time for the recursion is
$O(n \log n)$ as claimed. □

Given these lemmas, the interpolation algorithm follows:

InvFFT-Additive$(e_1, \ldots, e_k, \{(a, p_a) \mid a \in \mathrm{span}(e_1, \ldots, e_k)\})$

1. Compute $q(x), e'_1, \ldots, e'_{k-1}$ as by Lemma 1.

2. Compute $\{(a', p^0_{a'}) \mid a' \in \mathrm{span}(e'_1, \ldots, e'_{k-1})\}$ and $\{(a', p^1_{a'}) \mid a' \in \mathrm{span}(e'_1, \ldots, e'_{k-1})\}$ as by Lemma 2.

3. Compute $p^0(x) = $ InvFFT-Additive$(e'_1, \ldots, e'_{k-1}, \{(a', p^0_{a'}) \mid a' \in \mathrm{span}(e'_1, \ldots, e'_{k-1})\})$.

4. Compute $p^1(x) = $ InvFFT-Additive$(e'_1, \ldots, e'_{k-1}, \{(a', p^1_{a'}) \mid a' \in \mathrm{span}(e'_1, \ldots, e'_{k-1})\})$.

5. Compute $p(x)$ from $p^0(x)$ and $p^1(x)$ as by Lemma 3.

The running time for the algorithm is $O(n \log^2 n)$ because each recursion halves the span of the basis
elements. During implementation, a choice must be made as to the data structure to be used in storing the
evaluation table of a polynomial. Although in the proof of Lemma 2 we assumed that we need constant
time to retrieve $p_a$ given a, our implementation uses an associative data container, based on a red-black tree,
which has $O(\log n)$ access time. It can be checked that this does not affect² the asymptotic running time
for the interpolation and evaluation algorithms. (The choice to use a logarithmic-time container instead of
a constant-time container was made merely for convenience reasons; the C++ Standard Template Library
provides the map data type, while there is no corresponding type for a hash table.)
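The interpolation algorithm above (Lemmas 1 to 3 and InvFFT-Additive), as an added, self-contained Python reimplementation; it is not the paper's NTL-based code. Field arithmetic is done by hand on 8-bit vectors in $GF(2^8)$ with the modulus $x^8 + x^4 + x^3 + x + 1$ (a constructed choice, as are the basis and the coefficients in the test), the evaluation table is filled naively, and interpolate() follows the five steps of InvFFT-Additive with compose() carrying out the coefficient formula of Lemma 3.

```python
MOD = 0x11B  # GF(2^8) = GF(2)[x]/(x^8 + x^4 + x^3 + x + 1); a constructed choice of field

def gf_mul(a, b):
    """Multiply two GF(2^8) elements stored as 8-bit vectors (shift-and-xor)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= MOD
    return r

def gf_inv(a):
    """a^(2^8 - 2) = a^(-1) for a != 0, by square-and-multiply."""
    r, e = 1, 254
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def span(basis):
    """Every GF(2)-linear combination of the basis: the 2^k elements of span(e_1, ..., e_k)."""
    elems = [0]
    for e in basis:
        elems += [x ^ e for x in elems]
    return elems

def poly_eval(coeffs, x):
    """Horner's rule; coefficients are listed from x^0 upward."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def eval_table(coeffs, basis):
    """The evaluation problem, solved naively in O(n^2) field operations
    (the paper's eval_poly is the O(n log^2 n) FFT counterpart of interpolate below)."""
    return {a: poly_eval(coeffs, a) for a in span(basis)}

def compose(p0, p1, c, d):
    """Lemma 3: coefficients of p(x) = p0(q(x)) + x * p1(q(x)) for q(x) = x^2 + c*x + d,
    given p0 and p1 as n/2 coefficients each; returns n coefficients in O(n log n)."""
    m = len(p0)                        # n/2
    if m == 1:
        return [p0[0], p1[0]]          # p = p0 + x * p1 for constants p0, p1
    h = m // 2                         # n/4: p0 = b0 + z^h a0 and p1 = b1 + z^h a1
    a = compose(p0[h:], p1[h:], c, d)  # a(x) = a0(q(x)) + x a1(q(x)), degree < n/2
    b = compose(p0[:h], p1[:h], c, d)  # b(x) = b0(q(x)) + x b1(q(x)), degree < n/2
    cp, dp = c, d                      # c' = c^(n/4), d' = d^(n/4): square log2(n/4) times
    for _ in range(h.bit_length() - 1):
        cp, dp = gf_mul(cp, cp), gf_mul(dp, dp)
    p = [0] * (2 * m)                  # p = b + (x^(n/2) + c' x^(n/4) + d') * a
    for i in range(m):
        p[i] ^= b[i] ^ gf_mul(dp, a[i])
        p[i + h] ^= gf_mul(cp, a[i])
        p[i + m] ^= a[i]
    return p

def interpolate(basis, table):
    """InvFFT-Additive: the n = 2^k coefficients of the unique polynomial of degree
    less than n that takes the value table[a] at every a in span(basis)."""
    if not basis:
        return [table[0]]
    ek, rest = basis[-1], basis[:-1]
    inv_ek = gf_inv(ek)
    q = lambda x: gf_mul(x, x) ^ gf_mul(ek, x)   # Lemma 1: q(x) = x^2 - e_k x, q(a + e_k) = q(a)
    t0, t1 = {}, {}
    for a in span(rest):                          # Lemma 2, O(n): split the table in two
        pa, pb = table[a], table[a ^ ek]          # p_a and p_{a + e_k}
        p1 = gf_mul(pa ^ pb, inv_ek)              # p1_{q(a)} = (p_{a+e_k} - p_a) / e_k
        t1[q(a)] = p1
        t0[q(a)] = pa ^ gf_mul(a, p1)             # p0_{q(a)} = p_a - a * p1_{q(a)}
    new_basis = [q(e) for e in rest]              # e'_i = q(e_i) spans the image of q
    return compose(interpolate(new_basis, t0), interpolate(new_basis, t1), ek, 0)

def roundtrip(coeffs, basis):
    """True iff interpolating the evaluation table of coeffs over span(basis) gives coeffs back."""
    return interpolate(basis, eval_table(coeffs, basis)) == coeffs
```

The recursion depth is k and each level costs one compose() of size n, so the whole interpolation is $O(n \log^2 n)$ field operations, matching the bound stated for interpolate_poly in Listing 1; the dictionaries play the role of the paper's red-black-tree eval_table.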

The C++ data structure declarations and function signatures associated with evaluation and interpolation
of polynomials are shown in Listing 1. The code listing shows the two most important NTL types that
are used in the PCPP implementation. GF2E is the type of an element in an extension field of GF(2), and
GF2EX is the type of a polynomial with coefficients of type GF2E. Before its first use, GF2E needs to be
initialized with an irreducible polynomial in $GF(2)[x]$ to specify the extension of GF(2). More details regarding
the NTL programmatic interface to finite field computations can be found at http://www.shoup.net.



Listing 1: Evaluating and interpolating polynomials on fields of characteristic two

#include <map>
#include <NTL/GF2E.h>
#include <NTL/GF2EX.h>
#include <NTL/vec_GF2E.h>
using namespace std;
using namespace NTL;

struct eval_table {
    // (ltGF2E is the comparison operator on field elements)
    map<GF2E, GF2E, ltGF2E> evalmap;

    // Given x, return f(x), assuming <x,f(x)> is in evalmap.
    // Running time: O(log n)
    GF2E query(const GF2E& x) const;

    // Store the pair <x,y>
    // Running time: O(log n)
    void insert(const GF2E& x, const GF2E& y);

    // Clear the evaluation table
    // Running time: O(1)
    void clear();
};

/** Store in <table> the evaluation of the polynomial <poly> on the set of
 *  n=2^k field elements spanned by the k elements in <bases>.
 *  Running time: O(n (log n)^2)
 */
void eval_poly(eval_table& table, const GF2EX& poly, const vec_GF2E& bases);

/** Make <poly> the polynomial interpolated from <table>, the
 *  evaluation table of a function at each element spanned by <bases>.
 *  Running time: O(n (log n)^2)
 */
void interpolate_poly(GF2EX& poly, const eval_table& table, const vec_GF2E& bases);

² Comparison of two field elements in traversing the red-black tree takes $\Theta(\log|\mathcal{F}|)$ time, same as that for any other field
operation. As before, we take field operations to have unit time cost.



2.2 The Prover

In this section, I will detail the implementation of the PCPP prover, the program that, given a polynomial
over a field $\mathcal{F}$ of degree less than d and a subspace $L \subseteq \mathcal{F}$, constructs a valid probabilistically checkable
proof of proximity that shows that the polynomial's evaluation table over L is in $RS(\mathcal{F}, L, d)$. The algorithms
that appear in this section and the next are taken from [BSS04], the full version of the conference paper by
Ben-Sasson and Sudan.

Throughout this paper, we will only consider the case when d is fixed to be $|L|/8$. As is shown in [BSS04],
the more general case can be reduced to a sequence of these special PCPPs. It is convenient to think of
the proof, not as a string of bits, but as an oracle that can be queried; the advantage of this viewpoint will
become very apparent when we describe the verifier. The basic idea of the PCPP construction is that we
convert a univariate polynomial of degree less than $n/8$ into a bivariate polynomial of degree less than $\sqrt{n}$ in
each variable and then we invoke the Polischuk-Spielman analysis from [PS94] to reduce testing of bivariate
polynomials to testing of univariate polynomials of approximately the same degree. To describe the proof
more precisely, we will introduce the same notation as that used in [BSS04]. Throughout, assume that we
are given a specific basis $(b_1, \ldots, b_k)$ for a linear subspace L of the field and that $n = 2^k = |L|$. Define
the following:

• $L_{00} = \mathrm{span}(b_1, \ldots, b_{\lfloor k/2 \rfloor})$

• $L_0 = \mathrm{span}(b_1, \ldots, b_{\lfloor k/2 \rfloor + 2})$

• $L_{10} = \mathrm{span}(b_{\lfloor k/2 \rfloor + 1}, \ldots, b_k)$

• $q(x) = \prod_{\alpha \in L_{00}} (x - \alpha)$

• $L_1 = \mathrm{span}(q(b_{\lfloor k/2 \rfloor + 1}), \ldots, q(b_k))$

• $A_\beta = \{\beta + \alpha \mid \alpha \in L_{00}\}$, the affine shift of $L_{00}$ by $\beta$

• For $\beta \in L_{10}$, $L_\beta = \mathrm{span}(L_0, b_{\lfloor k/2 \rfloor + 3})$ if $\beta \in \mathrm{span}(b_{\lfloor k/2 \rfloor + 1}, b_{\lfloor k/2 \rfloor + 2})$, and $L_\beta = \mathrm{span}(L_0, \beta)$ otherwise

• $T = \{(\gamma, q(\gamma)) \mid \gamma \in L\}$

Next, we make a few observations that the reader can easily verify to follow directly from the above definitions.
Firstly, $q(x)$ is a GF(2)-linear map with $L_{00}$ as its kernel (see Proposition 8 in [BSS04]). Secondly, for
all $\beta \in L_{10}$, $|L_\beta| = 2|L_0| = 8|L_{00}|$ from the definition of $L_\beta$. Thirdly, it is clear that for all $\beta \in L_{10}$, $L_\beta$ is a
linear set while $A_\beta \subseteq L_\beta$ is not linear unless $\beta = 0$. Finally, note that

$$T = \bigcup_{\beta \in L_{10}} A_\beta \times \{q(\beta)\}$$

which follows from the fact that q is a linear transformation with kernel $L_{00}$.

Using the above notation, the structure of the Reed-Solomon PCP of proximity oracle is: 

Definition 3 ([BSS04], Definition 4) The proof oracle for a codeword of the RS-code $RS(GF(2^l), L, |L|/8)$
is defined by induction on $k = \dim(L)$. If $k \le 6$, then it is empty. Otherwise, the proof is a pair
$\pi = \{f, \Pi\}$ where f is a partial bivariate function over partial domain $S \subseteq GF(2^l) \times GF(2^l)$ and $\Pi$ is
a sequence of PCPPs for RS-codes over smaller linear spaces.

Partial domain S: Let $S_\beta = L_\beta \times \{q(\beta)\}$ and let $T = \{(\gamma, q(\gamma)) \mid \gamma \in L\}$. Then

$$S = \Big(\bigcup_{\beta \in L_{10}} S_\beta\Big) - T = \bigcup_{\beta \in L_{10}} \big((L_\beta - A_\beta) \times \{q(\beta)\}\big)$$

Auxiliary proofs $\Pi$: For each $\beta \in L_{10}$ and $\beta' = q(\beta) \in L_1$, $\Pi$ has one PCPP for an RS codeword
over $L_\beta$ of degree $|L_\beta|/8$, denoted $\pi^{row}_{\beta'}$. For each $\alpha \in L_0$, $\Pi$ includes a PCPP for an RS codeword
over $L_1$ of degree $|L_1|/8$, denoted $\pi^{col}_\alpha$. Formally,

$$\Pi = \{\pi^{row}_{\beta'} \mid \beta' \in L_1\} \cup \{\pi^{col}_\alpha \mid \alpha \in L_0\}$$

The C++ declaration of the PCPP object, shown in Listing 2, reflects the recursive structure of the proof 
described above. 



Listing 2: Declaration of the PCPP data type

/** Analog of eval_table for a bivariate polynomial
 */
struct biv_eval_table {
    map<GF2E, eval_table, ltGF2E> evalmap;

    GF2E query(const GF2E& x, const GF2E& y) const;
    void insert(const eval_table& xvals, const GF2E& y);
    void clear();
};

/** The proof pi = {f, Pi}; the fields are filled in by ReedSolomon_PCPP (Listing 3)
 */
struct poly_oracle {
    // Evaluation of f on S
    biv_eval_table eval;

    // The auxiliary proofs Pi, one PCPP per row and per column
    vector<poly_oracle*> proof;

    poly_oracle* next;
};













Now, having specified the form of a correct PCPP in Definition 3, we need to specify its contents, the
bivariate polynomial f and the auxiliary proofs $\Pi$.

• Construction of f: Given the polynomials p and q, construct the unique bivariate polynomial
$Q(x, y)$ with $\deg_x(Q) < \deg(q)$ and $\deg_y(Q) \le \lfloor \deg(p)/\deg(q) \rfloor$ such that $p(x) = Q(x, q(x))$ for all
$x \in L$. That such a Q exists and is unique is given by Proposition 7 in [BSS04], and the algorithm to
compute it is discussed below in 2.2.1. In our case, p is of degree $n/8$ while q is roughly of degree $\sqrt{n}$;
so, Q is roughly of degree $\sqrt{n}$ in x and $\sqrt{n}/8$ in y. Now, define $f(\alpha, \beta) = Q(\alpha, \beta)$ for all $(\alpha, \beta) \in S$.
This is the bivariate function whose evaluation table over S is provided in the PCPP.

• Construction of $\Pi$: Denote by $\hat{p} : T \to \mathcal{F}$ the bivariate polynomial defined by $\hat{p}(x, q(x)) = p(x)$
for all $x \in L$³. Then let $\hat{f}$ be the function that agrees with f on S and $\hat{p}$ on T. Also define
$\hat{f}|^{row}_{\beta'} : \{\alpha \mid (\alpha, \beta') \in S \cup T\} \to \mathcal{F}$ as $\hat{f}|^{row}_{\beta'}(\alpha) = \hat{f}(\alpha, \beta')$. Similarly, define $\hat{f}|^{col}_\alpha : \{\beta' \mid (\alpha, \beta') \in S \cup T\} \to \mathcal{F}$
as $\hat{f}|^{col}_\alpha(\beta') = \hat{f}(\alpha, \beta')$. It is fairly easy to verify (see Proposition 10 in [BSS04]) that for $\beta \in L_{10}$ and
$\beta' = q(\beta)$, $\{\alpha \mid (\alpha, \beta') \in S \cup T\} = L_\beta$ and that for $\alpha \in L_0$, $\{\beta' \mid (\alpha, \beta') \in S \cup T\} = L_1$. Then for $\beta \in L_{10}$
and $\beta' = q(\beta)$, $\pi^{row}_{\beta'}$ is the PCPP proving that $\hat{f}|^{row}_{\beta'}$ is a codeword in $RS(\mathcal{F}, L_\beta, |L_\beta|/8)$, and for $\alpha \in L_0$,
$\pi^{col}_\alpha$ is the PCPP proving that $\hat{f}|^{col}_\alpha$ is a codeword in $RS(\mathcal{F}, L_1, |L_1|/8)$.

This same description in C++ code is given in Listing 3. 



Listing 3: Construction of Reed-Solomon PCPPs

// d = |L|/8
void ReedSolomon_PCPP(poly_oracle& pcpp, const GF2EX& poly, const vec_GF2E& L_bases) {
    vec_GF2E L00_bases, L10_bases, L0_bases, L1_bases, Lbeta_bases;
    long k = L_bases.length(), i, j;
    GF2EX q, frow, fcol;
    vec_GF2EX f;
    vec_GF2E L0_span, L10_span, Lbeta_span, L1_span;
    GF2E beta0, beta, tmp;
    eval_table coleval, roweval;
    biv_eval_table bioracle;

    if (k > 6) { // 6 because floor(k/2)+3 < k for k >= 7
        // get the bases for L00, L0 and L10
        get_L00_bases(L00_bases, L_bases);
        get_L0_bases(L0_bases, L_bases);
        get_L10_bases(L10_bases, L_bases);

        // get q of degree approximately sqrt(n)
        LinearizedPoly(q, L00_bases);

        // get the bases for L1
        get_L1_bases(L1_bases, L10_bases, q);

        // get all elements in L10, L0 and L1 for later use
        get_span(L10_span, L10_bases);
        get_span(L0_span, L0_bases);
        get_span(L1_span, L1_bases);

        // get the bivariate polynomial f
        create_bivariate(f, poly, q, L10_span); // given in Listing 4

        // evaluate the bivariate polynomial f on S U T
        for (i = 0; i < L10_span.length(); i++) {
            beta0 = L10_span[i]; // for each beta in L10

            // get the bases for L_beta
            get_Lbeta_bases(Lbeta_bases, beta0, L_bases);

            // Find f(alpha, q(beta)) for all alpha in L_beta, i.e. the q(beta)-row of S U T
            roweval.clear();
            eval_poly(roweval, f[i], Lbeta_bases);
            bioracle.insert(roweval, EvalLinearizedPoly(q, beta0));
        }

        // Construct the auxiliary proofs Pi
        vector<poly_oracle*> proofs(L10_span.length() + L0_span.length());

        // Construct the proofs pi^row_{beta'} for all beta in L10 with beta' = q(beta)
        for (i = 0; i < L10_span.length(); i++) {
            proofs.at(i) = new poly_oracle;
            get_Lbeta_bases(Lbeta_bases, L10_span[i], L_bases);

            // proof that f|^row_{beta'} is in RS(F, L_beta, |L_beta|/8)
            ReedSolomon_PCPP(*proofs.at(i), f[i], Lbeta_bases);
        }

        // Construct the proofs pi^col_alpha for all alpha in L0
        // (|L1| = |L10| since q is injective on L10, so the column proofs follow the row proofs)
        for (i = 0; i < L0_span.length(); i++) {
            coleval.clear();
            proofs.at(i + L1_span.length()) = new poly_oracle;

            for (j = 0; j < L1_span.length(); j++) {
                coleval.insert(L1_span[j], bioracle.query(L0_span[i], L1_span[j]));
            }
            interpolate_poly(fcol, coleval, L1_bases);

            // proof that f|^col_alpha is in RS(F, L1, |L1|/8)
            ReedSolomon_PCPP(*proofs.at(i + L1_span.length()), fcol, L1_bases);
        }

        pcpp.eval = bioracle;
        pcpp.proof = proofs;
    }
    pcpp.next = 0;
    return;
}

³ Notice that a verifier does not need a separate evaluation table for $\hat{p}$ because it can simply use the provided evaluation
table for p; separately evaluating $\hat{p}$ and f is crucial to proving the soundness of the verifier.







2.2.1 Running Time of the Prover 

Let $T(n)$ denote the running time of the algorithm shown in Listing 3 for $n = |L|$. Let $T_f(n)$ denote the
time required to find the bivariate polynomial f. Then from inspection of the algorithm, it can be seen that
asymptotically:

$$T(n) = \begin{cases} T_f(n) + O\big(2^{\lceil k/2 \rceil}(8 \cdot 2^{\lfloor k/2 \rfloor} \log^2(8 \cdot 2^{\lfloor k/2 \rfloor}))\big) + 2^{\lceil k/2 \rceil} \cdot T(8 \cdot 2^{\lfloor k/2 \rfloor}) + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot T(2^{\lceil k/2 \rceil}) & \text{if } k > 6 \\ O(1) & \text{if } k \le 6 \end{cases}$$

$$\phantom{T(n)} = \begin{cases} T_f(n) + O(n \log^2(n)) + 2^{\lceil k/2 \rceil} \cdot T(8 \cdot 2^{\lfloor k/2 \rfloor}) + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot T(2^{\lceil k/2 \rceil}) & \text{if } k > 6 \\ O(1) & \text{if } k \le 6 \end{cases}$$

where $k = \log(n)$. So, we need to find $T_f(n)$ in order to solve the recurrence above for $T(n)$. Recall that f is
the restriction to S of a bivariate polynomial Q which satisfies the relationship $Q(x, q(x)) = p(x)$ on T and
which has $\deg_x(Q) < \deg(q)$ and $\deg_y(Q) \le \lfloor \deg(p)/\deg(q) \rfloor$. Also, notice from Listing 3 that we represent
a bivariate polynomial over x and y as a sequence of univariate polynomials over x, one for each value of y in
the domain. The algorithm that we use for calculating Q uses division over the ring of bivariate polynomials.
Note that if we fix a lexicographic ordering on terms with $x > y$, then dividing $p(x)$ by $q(x) - y$, we obtain

$$p(x) = Q'(x, y) \cdot (q(x) - y) + Q(x, y)$$

It can be easily checked that this remainder $Q(x, y)$ has the requisite properties. For our representation, we
want to evaluate $Q(x, \beta')$ for all $\beta' \in L_1$. The following lemma asserts that $Q(x, \beta')$ is the remainder after the
univariate division of $p(x)$ by $q(x) - \beta'$.

Lemma 4: Let $\mathcal{F}[x, y]$ be the ring of bivariate polynomials with the lexicographic ordering $x > y$ on
terms. Suppose $f \in \mathcal{F}[x]$ and $g \in \mathcal{F}[x, y]$. Also, $g(x, y) = m(x) + n(y)$ where $m \in \mathcal{F}[x]$ and $n \in \mathcal{F}[y]$.
Let $h(x, y)$ be the remainder after dividing $f(x)$ by $g(x, y)$. Then, for any $\alpha \in \mathcal{F}$, if $h_\alpha(x)$ is the
remainder after the univariate division of $f(x)$ by $g(x, \alpha)$, then $h_\alpha(x) = h(x, \alpha)$.

Proof: Fix $\alpha \in \mathcal{F}$. Let $f(x) = s(x, y) g(x, y) + h(x, y)$ and $f(x) = s_\alpha(x) g(x, \alpha) + h_\alpha(x)$. We
have $\deg_x(h) < \deg_x(g)$ and $\deg(h_\alpha) < \deg(g(x, \alpha)) = \deg_x(g)$. Now, $s(x, \alpha) g(x, \alpha) + h(x, \alpha) =
s_\alpha(x) g(x, \alpha) + h_\alpha(x)$, or

$$h(x, \alpha) - h_\alpha(x) = g(x, \alpha)(s_\alpha(x) - s(x, \alpha))$$

If $(s_\alpha(x) - s(x, \alpha))$ is not zero, then the degree of the right hand side is at least $\deg(g(x, \alpha)) = \deg_x(g)$
and so must be the degree of the left hand side, contradicting what we said before. So, $h(x, \alpha) - h_\alpha(x) = 0$.
□



Thus, we can represent Q by performing one univariate division for each $\beta' = q(\beta) \in L_1$. This algorithm in
C++ code is given in Listing 4.



Listing 4: Construction of the bivariate polynomial Q

void create_bivariate(vec_GF2EX& bivs, const GF2EX& P, const GF2EX& q, const vec_GF2E& L10_span) {
    GF2EX qp;
    GF2E tmp;

    bivs.SetLength(L10_span.length());
    for (long i = 0; i < L10_span.length(); i++) { // For each beta in L10
        tmp = EvalLinearizedPoly(q, L10_span[i]);   // beta' = q(beta)
        qp = q - GF2EX(0, tmp);                     // q(x) - beta'
        bivs[i] = P % qp;                           // Q(x, beta') = P(x) mod (q(x) - beta'), by Lemma 4
    }
}

















Univariate division of two degree-d polynomials can be reduced to multiplication of two degree-d polynomials
using the Sieveking-Kung method (see [vzGG99]); thus, univariate polynomial division can be achieved
in $O(d \log d)$ field operations. This is how polynomial division in NTL is implemented. Since we are
performing $\sqrt{n}$ divisions of an $n/8$-degree polynomial, we have for this algorithm $T_f(n) = O(n^{3/2} \log(n))$.

Then, we can rewrite the recurrence for $T(n)$ as:

$$T(n) = \begin{cases} O(n^{3/2} \log(n)) + 2^{\lceil k/2 \rceil} \cdot T(8 \cdot 2^{\lfloor k/2 \rfloor}) + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot T(2^{\lceil k/2 \rceil}) & \text{if } k > 6 \\ O(1) & \text{if } k \le 6 \end{cases} \qquad (1)$$

again with $k = \log(n)$.

Lemma 5: $T(n) = O(n^{3/2} \log n)$.

Proof: We prove by induction that $T(n) \le c \cdot n^{3/2}(\log n - 6)$ for an appropriate choice of c and for
sufficiently large n. For $k > 6$, $8 \cdot 2^{\lfloor k/2 \rfloor} < 2^k$ and hence, we start by assuming that the bound to be
proven holds for the recursive calls in (1). For large enough n, there exists a constant d such that:

$$\begin{aligned} T(n) &\le d \cdot n^{3/2} \log(n) + 2^{\lceil k/2 \rceil} \cdot T(8 \cdot 2^{\lfloor k/2 \rfloor}) + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot T(2^{\lceil k/2 \rceil}) \\ &\le d \cdot k \cdot n^{3/2} + c \cdot 2^{\lceil k/2 \rceil} 2^{9/2} 2^{3\lfloor k/2 \rfloor/2} (3 + \lfloor k/2 \rfloor - 6) + 4c \cdot 2^{\lfloor k/2 \rfloor} 2^{3\lceil k/2 \rceil/2} (\lceil k/2 \rceil - 6) \\ &\le d \cdot k \cdot n^{3/2} + \frac{c}{2} n^{3/2} (\lfloor k/2 \rfloor - 3) + \frac{c}{2} n^{3/2} (\lceil k/2 \rceil - 6) \\ &= n^{3/2}\Big(dk + \frac{c}{2}(k - 9)\Big) \\ &\le c \cdot n^{3/2}(k - 6) \end{aligned}$$

The first inequality follows from the defining recurrence relation for $T(n)$ in (1). The second inequality
follows from the inductive hypothesis. The third inequality follows from observing that for $k \ge 22$,
$\frac{9}{2} + \frac{\lfloor k/2 \rfloor}{2} \le \frac{k}{2} - 1$ and $2 + \frac{\lceil k/2 \rceil}{2} \le \frac{k}{2} - 1$. The fourth equality is algebra. The fifth inequality follows
from having an appropriately large c. As for the base case of the induction, we choose a c so that
$c \cdot n^{3/2}(\log n - 6)$ is larger than $T(2^{14})$ and $T(2^{12})$ because these are the values that $T(2^{23})$ depends
on. □

So, finding the bivariate polynomial f is the main bottleneck in constructing the PCPP and leads to the
rather large running time of the prover in Lemma 5. It remains an open question whether the running time
of the prover for this PCPP system can be improved.

2.2.2 Proof Size 

As mentioned in the introduction, the size of the PCPP is an important parameter in many applications of 
the theory. Having a nearly linear proof size has consequences for the construction of locally testable codes, 
for example. We will show that our PCPPs indeed have this property. 

Looking at Listing 3, the proof size⁴, $S(n)$, can be recursively characterized as:

$$S(n) = \begin{cases} 2^{\lceil k/2 \rceil} \cdot (8 \cdot 2^{\lfloor k/2 \rfloor}) + 2^{\lceil k/2 \rceil} \cdot S(8 \cdot 2^{\lfloor k/2 \rfloor}) + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot S(2^{\lceil k/2 \rceil}) & \text{if } k > 6 \\ 0 & \text{if } k \le 6 \end{cases}$$

$$\phantom{S(n)} = \begin{cases} 8n + 2^{\lceil k/2 \rceil} \cdot S(8 \cdot 2^{\lfloor k/2 \rfloor}) + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot S(2^{\lceil k/2 \rceil}) & \text{if } k > 6 \\ 0 & \text{if } k \le 6 \end{cases} \qquad (2)$$


Lemma 6: $S(n) = O(n \log^4 n)$

Proof: We prove by induction that $S(n) \le c \cdot n \log^4 n$ for an appropriate value of c. We will assume
that this bound holds for the recursive calls in (2). Then, we have:

$$\begin{aligned} S(n) &\le 8n + 2^{\lceil k/2 \rceil} \cdot c \cdot 8 \cdot 2^{\lfloor k/2 \rfloor} (\lfloor k/2 \rfloor + 3)^4 + 4 \cdot 2^{\lfloor k/2 \rfloor} \cdot c \cdot 2^{\lceil k/2 \rceil} \lceil k/2 \rceil^4 \\ &= 8n + 8cn(\lfloor k/2 \rfloor + 3)^4 + 4cn \lceil k/2 \rceil^4 \\ &\le 8n + 12cn(\lfloor k/2 \rfloor + 3)^4 \\ &\le cn \log^4 n \end{aligned}$$

The first inequality is the inductive hypothesis. The second equality is from simplification. The third
inequality follows from $\lceil k/2 \rceil \le \lfloor k/2 \rfloor + 1$. The fourth inequality holds for large values of k (since
$12 < 2^4$). For the base case of the induction, take c to be large enough so that the bound holds for the
values of n where the fourth inequality is true. □

Although the proof of the lemma above treats the bounds loosely, the $O(n \log^4 n)$ bound on the solution
of the recursion in (2) is pretty tight. In fact, we find from running our program that a small constant times
$n \log^4 n$ is a good bound for the proof size.
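As an added check that is not part of the paper, recurrence (2) can be evaluated exactly to see how many field elements the proof actually holds for a given $|L| = 2^k$ and how far that count sits below the $n \log^4 n$ bound of Lemma 6; the function and its memoisation are this illustration's, not the authors' program.

```python
from functools import lru_cache

@lru_cache(maxsize=None)
def proof_size(k):
    """Number of field elements in the PCPP for |L| = 2^k, from recurrence (2):
    the top-level table has 2^ceil(k/2) rows of 8 * 2^floor(k/2) elements each, plus
    2^ceil(k/2) row proofs over L_beta and 4 * 2^floor(k/2) column proofs over L_1."""
    if k <= 6:
        return 0                          # Definition 3: the proof is empty
    hi, lo = (k + 1) // 2, k // 2         # ceil(k/2) and floor(k/2)
    return (2**hi * 8 * 2**lo             # 8n entries of the bivariate table
            + 2**hi * proof_size(lo + 3)  # |L_beta| = 8 * 2^floor(k/2) = 2^(floor(k/2) + 3)
            + 4 * 2**lo * proof_size(hi)) # |L_1| = 2^ceil(k/2)

def size_ratio(k):
    """S(n) / (n log^4 n) for n = 2^k: the constant hidden by Lemma 6's bound."""
    return proof_size(k) / (2**k * k**4)
```

Because the sub-proofs at dimension 6 and below are empty, the first non-trivial sizes are small (one table of 8n elements at k = 7), and the ratio to $n \log^4 n$ stays well under 1 for every k, which is what the loose constants in the proof of Lemma 6 leave room for.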

2.3 The Verifier 

The verifier for the Reed-Solomon PCPP uses the bivariate polynomial test analyzed in [PS94] to check that 
the provided input is indeed close to a Reed-Solomon codeword. All this is done by querying only a constant 
number of field elements! The test made by the verifier is described in [BSS04] as follows: 

Definition 4 ([BSS04], Definition 5) The verifier for proximity to $RS(GF(2^l), L, d = |L|/8)$ receives
as input the parameters $GF(2^l)$, a basis $(b_1, \ldots, b_k)$ for L and degree parameter $d = |L|/8$. It has oracle
access to a purported codeword $p : L \to GF(2^l)$ and its purported proof $\pi = \{f, \Pi\}$ and is denoted
$V^{p, \pi}_{RS}(GF(2^l), L, d)$. If $|L| \le 64$ (in which case $\pi = \emptyset$), the verifier reads p in its entirety and accepts iff
$p \in RS(GF(2^l), L, |L|/8)$. Otherwise, it computes $\lfloor k/2 \rfloor$ and performs one of the following two tests
with probability half each.

Row-Test: Pick random $\beta \in L_{10}$, set $\beta' = q(\beta)$, compute a basis for $L_\beta$ and recursively run
$V^{\hat{f}|^{row}_{\beta'},\, \pi^{row}_{\beta'}}_{RS}(GF(2^l), L_\beta, |L_\beta|/8)$.

Col-Test: Pick $\alpha \in L_0$ at random, compute a basis for $L_1$ and then recursively run $V^{\hat{f}|^{col}_\alpha,\, \pi^{col}_\alpha}_{RS}(GF(2^l), L_1, |L_1|/8)$.

⁴ We count the number of field elements in the proof. Counting the number of bits leads to another factor of $\log|\mathcal{F}|$.

In the above definition, $\hat{f}$ is the bivariate function that agrees with the evaluation table of f on S and
with $\hat{p}$ on T. Recall from Section 2.2 that $\hat{p}$ is a partial bivariate function with the partial domain T,
defined by $\hat{p}(x, q(x)) = p(x)$. So, at the top level, when a row or column of $\hat{f}$ is selected, some of its values
can be retrieved by querying the bivariate polynomial evaluation table (for f) provided in the PCPP,
while for others the input string (the evaluation of p) must be queried. As the verifier gets deeper into the
recursion tree, determining where to look in the PCPP for an evaluation of $\hat{f}$ requires looking back at the
decision tree of row-tests and column-tests and determining at each level whether the needed evaluation
of $\hat{f}$ is contained in the bivariate evaluation table at that level. Instead of complicating the implementation
of the verifier, it is easier to restructure the proof as an oracle program that automatically determines the
correct place to look in itself for an evaluation of $\hat{f}$. Such a program implemented in C++ is shown in
Listing 5.



Listing 5: Implementation of a Proof Oracle 



enum Level {TOP, ROW, COL};

struct verifier_oracle {
    // Evaluation table of f on S (unused at the top level)
    const biv_eval_table* table;

    // Looking at row or column <header> of f
    GF2E header;

    // Pointer to the proof oracle that should be queried for
    // evaluations on T
    const verifier_oracle* parent;

    // If this is the top level, evaluation table of the univariate
    // polynomial p
    const eval_table* orig_poly;

    // The level: top, a row, or a column
    Level lev;

    // The linearized polynomial q
    GF2EX q;

    // Constructor for the top level
    verifier_oracle(const eval_table* orig)
        : table(0), parent(0), orig_poly(orig), lev(TOP) {}

    // Constructor if this is the row or column projection
    verifier_oracle(const verifier_oracle* par, const biv_eval_table* tab,
                    Level roworcol, const GF2E& val, const GF2EX& qp)
        : table(tab), header(val), parent(par), orig_poly(0),
          lev(roworcol), q(qp) {}

    // Recursive query: the value of f at (ask, header) for a row, at
    // (header, ask) for a column, and p(ask) at the top level
    GF2E query(const GF2E& ask) const {
        if (lev == TOP)
            return orig_poly->query(ask);
        else if (lev == ROW) {
            // (ask, header) lies on T iff q(ask) == header; on T the value
            // comes from the parent oracle, off T from the bivariate table
            if (EvalLinearizedPoly(q, ask) != header)
                return table->query(ask, header);
            else
                return parent->query(ask);
        }
        else {
            // (header, ask) lies on T iff q(header) == ask
            if (EvalLinearizedPoly(q, header) != ask)
                return table->query(header, ask);
            else
                return parent->query(header);
        }
    }
};

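The routing rule in Listing 5 relies on two facts about the subspace polynomial $q = Z_{L_{00}}$: its kernel inside $L$ is exactly $L_{00}$, so the points of the row $\hat\beta$ that lie on $T$ are precisely the coset $\beta + L_{00}$, and it is injective on $L_{10}$, so $L_1 = q(L_{10})$ has one header per row. The following self-contained C++ toy over $GF(2^8)$ is an added example and not the paper's code (which uses NTL): it builds $q$ term by term from the basis, checks both facts, and then shows that a row oracle which reads $p$ on $T$ and the table off $T$ reproduces $Q(\cdot, \hat\beta)$ for every header, which is exactly why the verifier may consult the input string there. The field modulus, the basis of $L$ and the coefficients of $Q$ are constructed for illustration.

```cpp
// Added example, not code from the paper: a GF(2^8) toy of the machinery
// behind Listing 5. Modulus, basis of L and coefficients of Q are constructed.
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <vector>

typedef uint8_t GF;   // element of GF(2^8), modulus x^8+x^4+x^3+x+1 (0x11B), an assumed choice

static GF gf_mul(GF a, GF b) {   // shift-and-xor multiplication modulo 0x11B
    uint16_t r = 0, x = a;
    for (int i = 0; i < 8; i++) {
        if (b & 1) r ^= x;
        x <<= 1;
        if (x & 0x100) x ^= 0x11B;
        b >>= 1;
    }
    return (GF)r;
}
static GF gf_pow(GF a, unsigned e) {
    GF r = 1;
    for (; e; e >>= 1) { if (e & 1) r = gf_mul(r, a); a = gf_mul(a, a); }
    return r;
}

// Linearized polynomial sum_i c[i] * x^(2^i), stored by its coefficient vector.
typedef std::vector<GF> LinPoly;

static GF eval_lin(const LinPoly& c, GF x) {
    GF acc = 0, xp = x;   // xp runs through x, x^2, x^4, ...
    for (size_t i = 0; i < c.size(); i++) { acc ^= gf_mul(c[i], xp); xp = gf_mul(xp, xp); }
    return acc;
}

// Subspace polynomial Z_V(x) = prod_{a in V}(x - a), V = span(basis). It is linearized,
// so it is built from Z_{V+<b>}(x) = Z_V(x) Z_V(x+b) = Z_V(x)^2 + Z_V(b) Z_V(x).
static LinPoly subspace_poly(const std::vector<GF>& basis) {
    LinPoly z(1, 1);   // Z_{0}(x) = x
    for (GF b : basis) {
        GF zb = eval_lin(z, b);
        LinPoly nz(z.size() + 1, 0);
        for (size_t i = 0; i < z.size(); i++) {
            nz[i + 1] ^= gf_mul(z[i], z[i]);   // (c x^(2^i))^2 = c^2 x^(2^(i+1)) in char 2
            nz[i] ^= gf_mul(zb, z[i]);
        }
        z = nz;
    }
    return z;
}

static std::vector<GF> span(const std::vector<GF>& basis) {
    std::vector<GF> s(1, 0);
    for (GF b : basis) { size_t n = s.size(); for (size_t i = 0; i < n; i++) s.push_back(s[i] ^ b); }
    return s;
}

// Bivariate Q(x, y) = sum_{i,j} Qc[i][j] x^i y^j
static GF eval_Q(const std::vector<std::vector<GF> >& Qc, GF x, GF y) {
    GF acc = 0;
    for (size_t i = 0; i < Qc.size(); i++)
        for (size_t j = 0; j < Qc[i].size(); j++)
            acc ^= gf_mul(Qc[i][j], gf_mul(gf_pow(x, i), gf_pow(y, j)));
    return acc;
}

// Listing 5's routing rule for a ROW oracle: (x, header) is on T exactly when
// q(x) == header, and there the value is read from the input p, not the table.
struct RowOracle {
    LinPoly q;
    GF header;
    std::map<std::pair<GF, GF>, GF> table;   // f on S: the PCPP's bivariate table
    std::map<GF, GF> p;                      // the input evaluation p on L
    GF query(GF x) const {
        if (eval_lin(q, x) != header) return table.at(std::make_pair(x, header));
        return p.at(x);
    }
};

// Builds the toy instance and checks (1) ker q on L is exactly L00, (2) q is
// injective on L10, so L1 = q(L10) has |L10| headers, (3) for every header the
// routed row agrees with Q(., header) on all of L.
static bool routing_demo() {
    std::vector<GF> b = {0x01, 0x02, 0x04, 0x08};   // basis of L (constructed)
    std::vector<GF> L00(b.begin(), b.begin() + 2), L10(b.begin() + 2, b.end());
    LinPoly q = subspace_poly(L00);
    std::vector<GF> L = span(b), l00 = span(L00), l10 = span(L10);
    std::set<GF> ker;
    for (GF x : L) if (eval_lin(q, x) == 0) ker.insert(x);
    if (ker != std::set<GF>(l00.begin(), l00.end())) return false;   // (1)
    std::set<GF> L1;
    for (GF y : l10) L1.insert(eval_lin(q, y));
    if (L1.size() != l10.size()) return false;                        // (2)
    // prover side: Q with deg_x < |L00| = 4, deg_y < 2; p(x) = Q(x, q(x));
    // the table holds Q on (L x L1) minus T
    std::vector<std::vector<GF> > Qc = {{0x53, 0xCA}, {0x01, 0x00}, {0x1F, 0x8D}, {0x9C, 0x02}};
    RowOracle o;
    o.q = q;
    for (GF x : L) {
        GF qx = eval_lin(q, x);
        o.p[x] = eval_Q(Qc, x, qx);
        for (GF y : L1) if (y != qx) o.table[std::make_pair(x, y)] = eval_Q(Qc, x, y);
    }
    for (GF y : L1) {                                                 // (3)
        o.header = y;
        for (GF x : L) if (o.query(x) != eval_Q(Qc, x, y)) return false;
    }
    return true;
}

int main() {
    printf("routing demo: %s\n", routing_demo() ? "consistent" : "MISMATCH");
    return 0;
}
```

The check in step (3) is the whole point of the oracle: on the coset $\beta + L_{00}$ the row value $Q(x, \hat\beta)$ equals $Q(x, q(x)) = p(x)$, so reading the input string there is not an approximation but the exact value the PCPP omits.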
Using this proof oracle structure, the implementation of the verifier is simple and direct. It is shown 
below. 



Listing 6: Implementation of the PCPP verifier of [BSS04] 

bool verify(const vec_GF2E& L_bases, const verifier_oracle& oracle,
            const poly_oracle& proof);

/** Verify if indeed <proof> is a valid PCPP that shows that <poly>
 *  is the evaluation table of a polynomial of degree less than |L|/8.
 */
bool verify_proof(const vec_GF2E& L_bases, const eval_table& poly,
                  const poly_oracle& proof) {
    verifier_oracle root(&poly);
    return verify(L_bases, root, proof);
}

/** A helper procedure for the above
 */
bool verify(const vec_GF2E& L_bases, const verifier_oracle& oracle,
            const poly_oracle& proof) {
    long k = L_bases.length(), index, i;
    vec_GF2E L00_bases, L10_bases, L0_bases, L1_bases, Lbeta_bases, L_span;
    GF2E choice, qchoice;        // a default-constructed GF2E is zero
    GF2EX q, poly;
    int bit;

    // if k < 7, simply read in all of the input, interpolate a
    // polynomial, and check its degree
    if (k < 7) {
        get_span(L_span, L_bases);
        eval_table polyvals;

        // maximum of 64 queries here
        for (i = 0; i < L_span.length(); i++)
            polyvals.insert(L_span[i], oracle.query(L_span[i]));

        interpolate_poly(poly, polyvals, L_bases);
        return deg(poly) < power_long(2, k - 3);   // degree < |L|/8
    }
    else {
        // get the bases for L_00, L_0, L_10 and L_1
        get_L00_bases(L00_bases, L_bases);
        get_L0_bases(L0_bases, L_bases);
        get_L10_bases(L10_bases, L_bases);
        LinearizedPoly(q, L00_bases);
        get_L1_bases(L1_bases, L10_bases, q);

        // flip a coin
        if (getRandomBit() == 1) {   // check row
            index = 0;
            for (i = 0; i < L10_bases.length(); i++) {   // choose random element beta in L_10
                bit = getRandomBit();
                index = index + bit * power_long(2, i);
                choice += bit * L10_bases[L10_bases.length() - i - 1];
            }

            // beta_hat = q(beta)
            qchoice = EvalLinearizedPoly(q, choice);

            // get pi_beta
            const poly_oracle* rowproof = proof.proof[index];

            // the row oracle lives on the stack for the duration of the recursion
            verifier_oracle next(&oracle, &(proof.eval), ROW, qchoice, q);
            get_Lbeta_bases(Lbeta_bases, choice, L_bases);

            // recurse
            return verify(Lbeta_bases, next, *rowproof);
        }
        else {   // check column
            index = 0;
            for (i = 0; i < L0_bases.length(); i++) {   // choose random element alpha in L_0
                bit = getRandomBit();
                index = index + bit * power_long(2, i);
                choice += bit * L0_bases[L0_bases.length() - i - 1];
            }

            // get pi^alpha; column proofs follow the 2^{dim L_10} row proofs
            const poly_oracle* colproof = proof.proof[index + power_long(2, L10_bases.length())];

            verifier_oracle next(&oracle, &(proof.eval), COL, choice, q);

            // recurse
            return verify(L1_bases, next, *colproof);
        }
    }
}



The query complexity of the verifier is immediate. The verifier queries at most 64 field elements and,
hence, at most $64 \log|\mathbb{F}| = 64\ell$ bits. Next, we look at some other complexity parameters associated with the PCPP
verifier.

2.3.1 Randomness Complexity 

In [BSS05], it is ascertained that the randomness complexity is $r(k) \le k + c \cdot \log k$ for a constant $c$. Here,
we give a tighter bound for $r(k)$.

First of all, note that the exact number of coins flipped by the verifier depends on its decision tree of
choosing between row-tests and column-tests; this is so because $|L_\beta|$ and $|L_1|$ are different for all $\beta$. We
want to determine the maximum number of coins that can be flipped by the verifier, i.e. an upper bound
on $r(k)$. Thus, looking at the definition of the verifier, we can write:

$$
r(k) \le \begin{cases}
1 + \max\Big( \lceil k/2 \rceil + r(\lfloor k/2 \rfloor + 3),\; 2 + \lfloor k/2 \rfloor + r(\lceil k/2 \rceil) \Big) & \text{if } k > 6 \\
0 & \text{if } k \le 6
\end{cases}
$$

Here the leading $1$ is the coin that selects the test, the next term counts the coins spent choosing $\beta$ (row-test)
or $\alpha$ (column-test), and the last term is the recursive call on $L_\beta$ or on $L_1$.

Lemma 7: $r(k) \le k + 4\lfloor \log(k - 6) \rfloor - 1$ for $k \ge 7$.

Proof: Can be verified immediately through a straightforward induction on $k$: the row-test term dominates, and
with $\lfloor \log \lfloor (k-6)/2 \rfloor \rfloor = \lfloor \log(k-6) \rfloor - 1$ for $k \ge 8$ it expands to exactly
$k + 4\lfloor \log(k-6) \rfloor - 1$.

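To see the induction concretely, the following added C++ check (not from the paper) evaluates the recurrence above exactly, with memoisation, and compares it against the bound of Lemma 7 for every $k$ up to a chosen limit. It reports the first $k$ at which the bound would fail and whether the recurrence attains the bound with equality, which is what makes the bound tight; the function names `r_rec`, `lemma7_bound`, `first_violation` and `bound_is_tight` are this example's own.

```cpp
// Added check, not code from the paper: exact evaluation of the randomness
// recurrence of Section 2.3.1 against the bound of Lemma 7.
#include <algorithm>
#include <cstdio>
#include <map>

// r(k) = 0 for k <= 6, otherwise
// r(k) = 1 + max( ceil(k/2) + r(floor(k/2)+3),  2 + floor(k/2) + r(ceil(k/2)) )
static long r_rec(int k) {
    static std::map<int, long> memo;
    if (k <= 6) return 0;
    std::map<int, long>::iterator it = memo.find(k);
    if (it != memo.end()) return it->second;
    long row = (k + 1) / 2 + r_rec(k / 2 + 3);   // coins for beta, then recurse on L_beta
    long col = 2 + k / 2 + r_rec((k + 1) / 2);   // coins for alpha, then recurse on L_1
    long v = 1 + std::max(row, col);             // plus the coin that picks the test
    memo[k] = v;
    return v;
}

// floor(log2(m)) for m >= 1
static int floor_log2(long m) { int l = 0; while (m >>= 1) l++; return l; }

// Lemma 7: r(k) <= k + 4*floor(log(k-6)) - 1, for k >= 7
static long lemma7_bound(int k) { return k + 4L * floor_log2(k - 6) - 1; }

// First k in [7, kmax] where the recurrence exceeds the bound, or 0 if none
static int first_violation(int kmax) {
    for (int k = 7; k <= kmax; k++)
        if (r_rec(k) > lemma7_bound(k)) return k;
    return 0;
}

// True if the recurrence meets the bound with equality for every k in [7, kmax]
static bool bound_is_tight(int kmax) {
    for (int k = 7; k <= kmax; k++)
        if (r_rec(k) != lemma7_bound(k)) return false;
    return true;
}

int main() {
    for (int k = 7; k <= 40; k++)
        printf("k=%2d  r(k)=%3ld  bound=%3ld\n", k, r_rec(k), lemma7_bound(k));
    printf("first violation up to k=1000: %d, tight: %s\n",
           first_violation(1000), bound_is_tight(1000) ? "yes" : "no");
    return 0;
}
```

Running it shows, for instance, $r(7) = 6$, $r(8) = 11$ and $r(14) = 25$, each equal to the bound, and no violation up to $k = 1000$; the column-test term never dominates beyond $k = 7$, which is the observation the inductive proof rests on.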
The randomness complexity also gives a way to bound the proof size, because $S(n) \le 2^{r(n)} q(n)$,
where $S(n)$ is the proof size and $q(n)$ is the query complexity: the verifier can only ever read positions that
some outcome of its coins selects. With Lemma 7 and $q \le 64$ this gives $S(n) \le 64 \cdot 2^{k-1} (k-6)^4 = 32\, n\, (\log n - 6)^4$,
i.e. $S(n) = O(n \log^4 n)$.

2.3.2 Running Time of the Verifier

Let $t_v(k)$ denote the running time of the verifier, measured in field operations. Then, we have that:

Lemma 8: $t_v(k) = O(k^3)$.

Proof: From inspecting the algorithm given in Proposition 8 of [BSS04], the linearized polynomial $q(x)$ has
$O(k)$ terms and can be computed in time $O(k^3)$. It can be evaluated in time $O(k^2)$. Thus
computing the basis for $L_1$ takes time $O(k^3)$, and similarly for computing the basis for $L_\beta$ given $\beta$.
Therefore, we can write the following recursion:

$$
t_v(k) = O(k^3) + \max\big( t_v(\lfloor k/2 \rfloor + 3),\; t_v(\lceil k/2 \rceil) \big)
       = O(k^3) + t_v(\lfloor k/2 \rfloor + 3)
$$

since $t_v$ is monotonically increasing and $\lfloor k/2 \rfloor + 3 \ge \lceil k/2 \rceil$. A simple induction shows that
$t_v(k) = O(k^3)$; the base case $k \le 6$ interpolates at most 64 points and costs $O(1)$ field operations.

3 Conclusion 

Our tight bounds on the complexity parameters related to Reed-Solomon PCPPs show that it is indeed
feasible in practice to create PCPPs as a semantic analog of error-correcting codes. The question of improving
the time performance of the prover remains open.